Unsupervised Learning: No. 141

😮 The governments of the “Five Eyes” (US, Australia, UK, Canada, and New Zealand) have asked the world’s largest tech companies to build encryption backdoors into their systems. But more than just asking, they also said, “Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.” Link

A number of people have linked APT10 (Stone Panda) with the Chinese Ministry of State Security (MSS). Link

Wireshark can be crashed with malicious PCAPs. But we knew that. Parsing = Risking. Link

Experts now suspect the use of advanced microwave-based weapons in the damage to embassy workers in Cuba. Link

China is using LinkedIn to find people at important companies to steal intellectual property from. Link

Japan is looking to invest in AI technologies that can predict crime before it happens. The system can look at traffic patterns, local economics, and many other factors as part of its algorithm. Link

Iran is running a serious information warfare campaign similar to Russia’s, with one major group’s mission being the confrontation of Western and Zionistic governments with extreme prejudice (my own translation). They evidently pump out tons of content in over 11 languages. Link

Another Chinese American is in trouble for stealing secrets from an American company (GlaxoSmithKline in this case) to bring the intellectual property to China—all with the backing of the Chinese government. American companies are being IP-harvested by foreign governments, and I’m not sure what is being done about it. As someone who served in the military, and as a security professional, this really annoys me. Link

Very Good Security is an interesting new startup that does on-the-fly swapping of fake (inert) sensitive data (in your databases) with the real data that is stored securely with them. You never have to work with your sensitive data, and they don’t have access to it either. It’s just transparently proxied along whenever someone calls it from your own database. Interesting. Link

The CIA accidentally exposed access to sensitive government networks due to a firewall misconfiguration, and people likely died as a result. Link

China has approximately a million Muslims in internment camps, and according to former inmates they’re being forced to renounce their religion as part of their re-education. Not sure why this isn’t much bigger news. Never mind, I know why. Link

Poor leadership is the primary cause of burnout at a lot of tech companies. Link

Human News

There are over 5 trillion pieces of plastic garbage in the ocean, and a massive project called The Ocean Cleanup is looking to clean up to 50% of it in 5 years, and hopefully all of it by 2050. Link

Researchers have found that over 9% of adults in Japan, 22% in America, and 23% in Britain feel lonely, lack companionship, or feel isolated. There will be many studies on this, but my guess is that there are many people staying home and using social media or playing video games, combined with larger numbers leaving the workforce where lots of socializing is often done. Link

France has banned students under 15 from using personal technologies such as mobile phones and smartwatches while at school. Link

Commuters in Indonesia can pay for a ride by giving the driver a piece of plastic waste. What a brilliant way to power a cleanup effort. Link

The GDP growth rate has been revised upwards to 4.2%. Impressive. Link

Y-Combinator is about to launch a $60 million basic income experiment in two states. This comes as Canada and Finland prematurely ended two programs because they weren’t working. Link

A study in China has shown that air pollution can negatively affect brain function, especially in older and uneducated men. Link

AMA — SUMMER 2018

This is my first AMA, and thanks to all the members who sent in questions! I got quite a few but they tended to converge on topics. Let’s jump in.

You recommend a lot of books. What five would you currently recommend as must-reads?

These are very future-focused, but if you’re reading this I suppose this won’t be a problem.

The War on Normal People, Andrew Yang

Superforecasting, Philip Tetlock

Homo Deus, Yuval Harari

The Bed of Procrustes, Nassim Taleb

Life 3.0, Max Tegmark

Can you put a permanent link on the site for your top book recommendations?

That’s a really good idea. I’ll try to find a place for it. I like the idea because it’ll force me to maintain a level of perspective when ranking what I read after a period of time. Actually, now that I look, here is a previous form of this: perhaps I’ll just keep it updated.

I do a lot of audiobooks these days, mixed in with a good amount of Kindle (on phone or iPad). I’m probably 70% audio, 25% Kindle, and 5% dead tree. Since I am a life-long Getting Things Done (GTD) person, I try to capture interesting thoughts as soon as possible, often using my pen (Fisher Telescoping Pen) and index cards.

Lately though (the last several years) I’ve been trying a different method, which is just going through the material in a full read-only mode, and then going back and creating a summary of the book. So I start with the things I immediately remember, capture those, capture anything they made me think about, and then I go and find any summaries online to see what key points they captured.

I then create a short, halfway decent summary using those other captures and/or a quick review of the table of contents and the chapters that I found most interesting. This means I usually buy both the Audible and the Kindle version of most books, so I can read them in both forms but also so that I can use the Kindle version for reference and to create my summary.

I’m way behind on it, but the goal is to have my favorite books I’ve read captured there so I can go back to their lessons quickly. This not only includes the actual content of the book, but what they made me think of at that time.

Thinking about this now, it’s become clear to me how much of my life is dedicated to reading. It costs a lot actually, and takes a ton of time. But I don’t have children, don’t watch TV, and don’t play many video games. To me, reading is the best. It’s the way to live many lives in the span of one.

What do you think of the following approach to rating risk in small to medium-sized organizations: criticality + probability – complexity (cost + effort)?

I think that makes sense, but I’m not sure it captures the true nature of the challenge. The issue isn’t necessarily knowing how to rate the risk of a given thing, but rather how to decide what the things are in the first place.

For example, if you start with a system like you have above, you’re automatically focused on technical vulnerabilities, which might not actually be the largest cause of your problems. Asset Management, for example, is often the biggest risk inside a company—regardless of size. But how would you rate that using your system above?

I think that the unfortunate truth is that there are certain core fundamentals of security defense that everyone needs, and that it takes a significant amount of experience to know, given a certain company, how to prioritize those fundamentals for the organization.

For most companies, doing the CIS 20 to any significant degree would help their program far more than most things they’re doing. But the list is often seen as either too basic, too hard, or some combination thereof.

The real trick is figuring out, when you have a specific vulnerability for an organization, like an appsec issue with their website, where fixing that issue ranks in the priorities relative to ensuring the basics are done. This is the biggest challenge for a consultant type coming in to help an organization. You have to try to do the maximum good with (usually) a very limited set of resources.

In short, you have to be able to compare many different types of risk. Maybe there’s no security leadership so all the good security ideas are being smashed by the engineering manager. Maybe the website vulns really are the highest risk, and need to be fixed immediately. Maybe the company is about to lose their license to operate because they’re out of compliance. Maybe the company hasn’t yet hashed their passwords in the main application’s database. Or maybe the company has no list of what they have, and you should drop everything and start there.

As a consultant, you need to be able to take all of those types and tell the customer what to do first. This is the highest form of consulting in my view. Otherwise, you can be locked into a particular genre of security (technical, compliance, etc.) and not be able to see them all from above.
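Here is the reader’s formula worked through on the situations named in the answer above. This is an added example, not code from the newsletter; every rating in it is a constructed 1–5 value, and the “fundamentals” set and the names of the risks are my own assumptions chosen to illustrate the point that the formula can only rank what is already on the list.

```python
"""Risk prioritisation with the reader's formula from the AMA:
score = criticality + probability - complexity, where complexity = cost + effort.
All ratings below are constructed 1-5 values, not data from the newsletter."""
from dataclasses import dataclass

# Assumption: the non-technical basics a programme must have on its list at all.
FUNDAMENTALS = {"asset inventory", "security leadership", "compliance"}


@dataclass(frozen=True)
class Risk:
    name: str
    category: str       # "fundamental" or "technical"
    criticality: int    # 1-5: impact if it goes wrong
    probability: int    # 1-5: likelihood that it does
    cost: int           # 1-5: money needed to fix it
    effort: int         # 1-5: time and people needed to fix it

    def score(self) -> int:
        for v in (self.criticality, self.probability, self.cost, self.effort):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.name}: ratings must be 1-5, got {v}")
        return self.criticality + self.probability - (self.cost + self.effort)


def rank(risks):
    """Highest score first; ties broken by criticality so severe items never sink."""
    return sorted(risks, key=lambda r: (r.score(), r.criticality), reverse=True)


def missing_fundamentals(risks):
    """The author's point: a scoring system never surfaces what was never listed."""
    present = {r.name for r in risks}
    return sorted(FUNDAMENTALS - present)


# Constructed ratings for the situations the answer enumerates.
TECHNICAL_ONLY = [
    Risk("website XSS", "technical", 3, 4, 1, 2),
    Risk("unhashed passwords in main DB", "technical", 5, 3, 2, 2),
]
WITH_FUNDAMENTALS = TECHNICAL_ONLY + [
    Risk("asset inventory", "fundamental", 5, 5, 2, 3),
    Risk("security leadership", "fundamental", 4, 5, 3, 2),
    Risk("compliance", "fundamental", 5, 4, 3, 3),
]

if __name__ == "__main__":
    print("gaps in a technical-only list:", missing_fundamentals(TECHNICAL_ONLY))
    for r in rank(WITH_FUNDAMENTALS):
        print(f"{r.score():>3}  {r.category:<12} {r.name}")
```

With these constructed ratings the asset inventory item lands at the top, which is the “drop everything and start there” case from the answer, but only because it was put on the list in the first place.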

You write a lot about happiness and depression. Is this something you personally struggle with, and/or why do you find yourself drawn to the topic?

Despite the fact that I write a lot about depression, I am actually more concerned with happiness. That may sound like a distinction without a difference, but I see happiness as optimizing different types of projects to achieve maximum fulfillment. That could be for an individual, or it could be for a country. Or a planet.

As for actual depression, I’ve not really experienced it myself. There was a moment in like 2010 where I felt really bad, but it lasted like 4 hours and has never happened since. And I actually know the cause.

I do have significant personal experience with it, however, as many of my friends and associates deal with it regularly. So I feel I’m watching it closely, both at the internet and reading scale, but also at the personal level. Again, my thing is never how to get rid of depression, but rather how to create fulfillment.

I know you don’t write about politics much in the show, but what do you consider yourself?

I honestly don’t know how to answer that well, which probably leaves you wondering why I left it in the AMA. I thought it would be useful to flounder in public on this.

I was born and raised in the San Francisco Bay Area, so my DNA is quite progressive. I also believe that there’s a big disconnect between what progressives want to do with their policies and what they actually end up accomplishing.

I also think that humans are very old organisms sculpted by evolution taking hundreds of thousands of years. This means we should be careful when we discard parts of our traditional structures, e.g., religion, family, monogamy, face-to-face interaction, etc. Rituals matter to people. There is some measure of structure and intuition and tradition that brings joy to humans.

So the question becomes how to merge these things together into some kind of centrist, freedom-based, progressive system that still has all the right structural underpinnings to keep humans happy.

This is why I think people like Jordan Peterson are resonating so powerfully right now. He’s someone who deconstructs things, but he replaces what he breaks down with something else. The atheists I’ve been watching over the last couple of decades don’t have this quality. They tear things down without building them back up. I’ll give Sam a pass here because he has been talking about spirituality for a long time, and even wrote a book about it that he named his podcast after. But even he isn’t telling people what to do, which a lot of people need.

Jordan comes at things from a clinical psychology standpoint, so he’s used to literally giving people advice. As a consultant, I love this, and I believe it’s what people truly need. When I go to customers I don’t just poop all over what they’re doing and tell them what’s wrong. You have to tell them what to do to fix it. And that doesn’t mean giving them 4,000 options using Buddhism and Mormonism and Christianity and Islam and SANS and OWASP—and then telling them to study all of it and make a choice. No. That’s not helpful for most. Jordan takes the true consultant approach, which is giving prescriptive advice that builds on itself over time to result in material change.

Anyway, that’s what is powerful about the conservative side of the world, which I never understood before. Books by Jonathan Haidt and Charles Murray really showed me a different side of conservatism I’d not seen before as a Bay Area progressive. They taught me that there is often value to old structures and old systems, and that we don’t necessarily have to keep them, but that we shouldn’t just discard them because they’re old.

This teaching combined with my deep study of evolutionary psychology really brought me to this desire for a hybrid: where we maintain our progressive goals, but are willing to use lots of different methods to get there—including a tentative embrace of certain traditional structures that give humans meaning and happiness.

So, my views are in an evolving state of flux due to how much I read, within the rough boundaries of what I described above, and I’m ok with that. Suffice it to say, however, that they don’t match anything you see on television. I voted for Neil deGrasse Tyson (an unimportant protest vote) last time, and next time I’ll likely vote for Andrew Yang due to an extreme match on the perception of the problem and the solution.

Is there any way you can start doing videos in addition to text and audio? I like the other things, but I am finding myself most drawn to people who can make short YouTube videos to explain things.

A number of people asked similar questions. I am actually thinking about trying this.

My biggest challenge right now is graphics. These videos are best when they’re animated or when they use video. And the better the visuals the better the video. As it stands now I’d basically be doing my own graphics, using images from the internet, not much video, and then just moving through a presentation kind of like a slide deck (except it’d be an essay with visuals rather than slides with words).

I’m going to try one and see how people like it. I’ll probably beta test with members and go from there. Will keep you up to date on it.

I know you have written multiple places about getting into information security, but what would you say is the primary thing employers are looking for when they look at candidates?

I would say the magic crossover is the combination of passion and practical experience.

Passion without experience means you might not be able to execute. And experience without passion means you might just be a worker bee that doesn’t push the limits towards something interesting and new.

To be clear, that experience doesn’t have to be formal. It can be tinkering. It can be projects on GitHub. It can be a blog. It can be building things with your hands. Woodworking. Soldering. Whatever.

You just have to be someone who has active projects that you can’t help but work on. Notice that this single metric is the tangible manifestation of passion and execution. It’s the sweet spot, and as a bonus, it’s hard to fake.

What would you be doing if you weren’t in security? Or what do you find interesting as a field other than security?

If I were not doing information security, I’d be doing data science. I don’t feel like I made a bad choice or anything, especially since data science wasn’t really a thing at the turn of the century when I started. The good news is that I plan on just doing data science as well, as a side thing that I find ways to integrate into my career and projects.

What’s so interesting to me about data science—and specifically machine learning—is that it’s so tangible. It’s judged directly on how well it moves a needle in the real world. If it can’t improve an existing process, or create a better one, then it’s discarded. That’s refreshing.

So it’s the combination of its power and its practicality that makes it so attractive to me. To me, machine learning is the single most interesting technology in decades—and perhaps centuries if you factor in the ability for so many to apply it themselves to everyday problems.

Which career path would you recommend, Red Team or Blue Team?

Doing either one without the other is like clapping with one hand. I would argue that you cannot truly understand attack or defense unless you have some experience doing both. This is because a big part of the lessons come from the perspectives rather than the techniques.

Start with whichever is closest to you and available. Then spend 6 months to a year getting good at it, and then seek ways to do the other.

::

Thanks to all the members who sent in questions, and feel free to send in more as you have them. See you again in 6-12 months!

People are upset that AT&T continues to lay people off, saying it makes no sense given that they’re making great profits. I don’t think many realize that companies aren’t there to give us jobs. They’re there to make money. If they can make more money by firing everyone, that’s exactly what they would do. And many, many companies are trying their hardest, and spending millions, to get pretty close. Link

🙏 For anyone who has wanted to support the show but prefers to use Patreon, you can now support me over there as well (Patreon bought Memberful, so both systems are merged now). Thank you! Support me on Patreon

I’m currently deep-diving on Machine Learning. I have never been good at math, and now I know why. I was seldom taught WHY we were learning anything. Bad teachers are like lead in the water. Anyway, I am finding the math involved to be remarkably understandable, despite my only (barely) making it through Calculus. I couldn’t do it by hand myself, but I just need to understand enough to know how to apply it through a programming language. Jupyter Notebooks and I are about to become rather intimate. I’m currently taking Andrew Ng’s Stanford course, and it’s simply phenomenal. The other one that I’m going to redo after it is the series by 3Blue1Brown. Link

Seriously considering trying one of these keyboards. I like my current Magic Keyboard, but there’s something about a mechanical aesthetic that just feels good. One reason I’ve held off in the past is that I felt they were very Windows-oriented, but this one is aligned strongly with the Mac universe. I’ll let you know if I get one. Link

Recommendations

If you’ve been skeptical about whether or not automation is really going to affect human jobs, or whether AI is really any different than previous technical innovations, you need to watch this video. It’s the best short intro to this problem, without question. Link